SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 1

changes.mady.by.user Dhruv Mohindra

Saved on

compared with

New Version 2

changes.mady.by.user Justin Pincar

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Edited by sciSpider Java v3.0 (sch jp)

...

While this statement typically holds true, it can be misleading since it does not account for instances that use values of static final fields initialized at a later stage. Even if a field is static final, it is not necessarily initialized at first go.

...

Noncompliant Code Example

This non-compliant noncompliant example contrives to calculate the account balance by subtracting the processing fee from the deposited amount, but fails miserably. The Cycle class object c is instantiated before the deposit field gets initialized. ThusAs a result, the constructor Cycle is invoked which computes the balance based on the initial value of deposit (0) rather than the random value. As a result, the balance always remains -10.

...

Code Block
bgColor#FFcccc
public class Cycle {
  private static final Cycle c = new Cycle();
  private final int balance;
  private static final int deposit =  (int) (Math.random() * 100); //random deposit

  public Cycle(){
    balance = deposit - 10; //subtract processing fee
  }

  public static void main(String[] args) {
    System.out.println("The account balance is: " + c.balance);	
  }
}

Compliant Solution

This compliant solution changes the initialization order of the class Cycle so that the fields meant to be used in computations get duly initialized. As initialization cycles can become insidious when many classes are involved, proper care must be taken to inspect the control flow.

Code Block
bgColor#ccccff
public class Cycle {
  private final int balance;
  private static final int deposit =  (int) (Math.random() * 100); //random deposit
  private static final Cycle c = new Cycle();  //inserted after initialization of required fields
  public Cycle(){
    balance = deposit - 10; //subtract processing fee
  }

  public static void main(String[] args) {
    System.out.println("The account balance is: " + c.balance);	
  }
}

Risk Assessment

TODO

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

MSC00-J

??

??

??

P??

L??

Automated Detection

TODO

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

JLS JLS 8.3.2.1 Initializers for Class Variables, JLS 12.4 Initialization of Classes and Interfaces
Puzzlers, Traps 49 "be careful of class initialization cycles"